CYBER RISKS & CYBER INSURANCE
The Cyber Insurance Consultancy
Chris Stallard – Chief Insurance Imagineer
chris@zemstarinsurance.com.au
‘CYBER’ – WHERE DID IT COME FROM?
First coined by Mathematics Professor Norbert Wiener in 1948.
Groundbreaking account of various systems that led to and influenced AI and complex systems.
“Cyber” itself is derived from a Greek term meaning ‘steersman’ or ‘governor’.
A BRIEF HISTORY OF CYBER TIME
•  Late 1990s – First policies bound in the US
•  Low product evolution due to Y2K and 9/11
•  Circa 2000 – First Betterley Report on Cyber Insurance
•  2008 – Cyber premiums in region of $500m
•  2016 – US: Mature; UK/Europe: Growing; Asia/AU and NZ: Emerging
•  2020 – Global GWP estimated at $7.5bn to $15bn
WHY BUY CYBER INSURANCE?
•  Privacy Legislation including the Australian Privacy Principles (APPs)
•  Forms part of an effective risk management framework
•  PCI-DSS obligations
•  Ubiquitous exposure - IoT
•  Lack of coverage within traditional insurance programs
•  Potential for system vulnerabilities
•  Benefits of accessing expertise when it is needed
•  Bad guys attack weaknesses not strengths
GREAT NEWS !! – YOU HAVE THE SKILLS TO SELL
As an Insurance Professional, you already have risk transfer knowledge.
Risk considerations and exposures associated with Cyber are very similar to those that businesses already face.
Quite simply, a business faces the impact of a Cyber event on their operations and revenue.
In addition to first party exposures, they have exposures to third parties (customers primarily).
In line with tradition, there will be costs and expenses associated with managing impact, including:
-  increased costs of working
-  business interruption
-  defence costs
-  investigation costs
-  other expenses such as expert services.
CYBER….YOUR FAMILIAR BUT NEW RISK
Traditional sequence: Fire, Damage, Business Interruption, Event Expenses, Third Party Actions
Cyber equivalent:
•  Virus Attack: E-mail attachment contained the virus
•  Damage: Applications and data
•  BI: 3 weeks to reconstitute data and 3 months to recover
•  Event Expense: Systems & data recovery experts, customer comms.
•  Third Party Actions: Customers bring action following exposure of PII
CYBER COVERAGE
1st Party (Damage, Event Expense, BI)
•  Cost to replace, restore (data) from network breach
•  Costs of extortion monies and expenses
•  Business Interruption – loss of income and extra expenses
3rd Party (TPAs)
•  Identity theft
•  Breach of Privacy
•  Failure to protect confidential data
•  Transmission of spyware, viruses & code
Costs (Event Expense)
•  Notification costs incurred
•  Regulatory Defence costs
•  PR and Crisis Management costs
•  Fines and Penalties
RISK TRANSFER OR COVER GAP?
TRADITIONAL PROGRAM COVERS Versus COVERAGE SHORTFALLS
•  GL: Unlikely that policies will provide cover for data breaches
•  PROP: Typically require physical loss or damage and may specifically exclude electronic data
•  D&O/ML: Would usually only respond to actions brought against D&Os for ‘Wrongful Act’
•  PI/E&O: Cover is not usually afforded for information/data breaches (unless part of ‘Professional Services’)
•  EXTS.: Most Cyber extensions are only as effective as the underlying policy trigger
LOSS SCENARIOS:
LOST LAPTOP
A laptop which is used by a number of employees is left in a coffee shop in the Sydney CBD. It cannot be located.
The laptop contains 25,000 customer records including names, addresses and banking information.
RANSOMWARE
A business owner opens their first e-mail of the day. The opening line reads “Your data has been locked by us”.
The content is clear: there is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.
SYSTEM VULNERABILITY
Personal and financial information has been obtained via security weaknesses in a computer system. Over 250,000 identities implicated.
The Insured was made aware of the breach/es by the Federal Police and immediate cessation of operations is required.
SCENARIO 1
LOST LAPTOP
A company laptop has been left in a coffee shop in the Sydney CBD. It cannot be located.
The laptop contains 25,000 customer records including names, addresses and banking information.
1st Party: Most policies will cover the costs of recovering data (but usually only as a result of a ‘virus’ attack). Policies do not typically cover physical property and the laptop should be insured under a property policy.
3rd Party: Most policies will provide cover for actions brought against the insured for breach of privacy or for damages as a result of personal information impacting a third party, e.g. credit history black marks.
Costs:
•  Notifying customers of breach
•  Costs of monitoring credit reports
•  Defence costs in respect of third party claims or regulatory investigation/action
SCENARIO 2
RANSOM
Business owner opens an e-mail. The opening line reads “Your data has been locked by us”.
There is a threat that the company data will be erased unless a ransom of 250 Bitcoins is paid.
1st Party: Extortion threats are usually covered under market forms including the payment of monies to release or prevent data damage. However, the recommendation is that no payment is made, as monies demanded can increase and there is no guarantee that data will be left untouched.
3rd Party: In the event that any PII or PHI is exposed then most policies will respond to actions brought by third parties and/or regulatory authorities.
Costs:
•  Costs of monitoring credit reports
•  Investigation and virus removal costs
•  Defence costs in respect of third party claims or regulatory investigation/action
SCENARIO 3
SYSTEM VULNERABILITY
Personal and financial information has been obtained via weaknesses in a computer system. Over 250,000 identities implicated.
Federal Police advised insured of the breach and immediate cessation of operations is required.
1st Party: Should the investigation result in a material impact to the operations of the business preventing them from operating, some policies do make provision for impact on profit or revenue.
3rd Party: In the event that any PII or PHI is exposed then most policies will respond to actions brought by third parties and/or regulatory authorities.
Costs:
•  Costs of monitoring credit reports
•  Investigation and virus removal costs
•  Defence costs in respect of third party claims or regulatory investigation/action

Cyber Insurance - The Basics
